The Role of Law in Supporting Secondary Uses of Electronic Health Information

See, e.g., Safran C. Bloomrosen M. Hammond W. E. , “Toward a National Framework for the Secondary Use of Health Data: An American Medical Informatics Association White Paper,” Journal of the American Medical Informatics Association 14, no. 1 (2007): 1–9.

Centers for Disease Control and Prevention (CDC), “Status of State Electronic Disease Surveillance Systems – United States, 2007,” Morbidity & Mortality Weekly Report 58, no. 29 (2009): 804–807.

Blumenthal D. Tavenner M. , “The ‘Meaningful Use’ Regulation for Electronic Health Records,” New England Journal of Medicine 363, no. 6 (2010): 501–504; Hoffman S. Podgurski A. , “Big Bad Data: Law, Public Health, and Biomedical Databases,” Journal of Law, Medicine & Ethics 41, no. 1, Supp. (2013): 56–60.

See, e.g., Petersen C. DeMuro P. Goodman K. W. , “Sorrell v. IMS Health: Issues and Opportunities for Informaticians,” Journal of the American Medical Informatics Association 20, no. 1 (2013): 35–37.

See, e.g., Sengupta S. Calman N. S. Hripcsak G. , “A Model for Expanded Public Health Reporting in the Context of HIPAA,” Journal of the American Medical Informatics Association 15, no. 5 (2008): 569–570.

Pub. L. No. 104–191, 110 Stat. 1936 (allowing stricter state privacy restrictions).

45 C.F.R. § 164.512(a), (b), (i) (2013) (stipulating that the provider must account for these disclosures to the patient when requested); CDC, “HIPAA Privacy Rule and Public Health: Guidance from CDC and the U.S. Department of Health and Human Services,” Morbidity & Mortality Weekly Report 52, no. 1 (April 11, 2003): 1–12, available at <http://www.cdc.gov/mmwr/preview/mmwrhtml/m2e411a1.htm> (last visited February 4, 2015).

See, e.g., 45 C.F.R. § 164.514(e) (2013); see also Sengupta , supra note 6.

45 C.F.R. § 164.501 (2013) (defining health-care uses of PHI); U.S. Department of Health & Human Services, OCR Privacy Brief: Summary of the HIPAA Privacy Rule 4–10 (2003) [hereinafter cited as OCR Privacy Brief], available at <http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf> (last visited February 4, 2015).

Burke T. , The Health Information Technology Provisions in the American Recovery and Reinvestment Act of 2009: Implications for Public Health Policy and Practice, 125 Pub. Health Rep. 141 (2010).

42 U.S.C.A. § 300jj-31 (2009) (enacted as part of the American Recovery and Reinvestment Act of 2009); 45 C.F.R. 158.151 (2011); 42 C.F.R. 495.6 (2013) (including a variety of health-care quality measures).

HealthIT.gov, “Meaningful Use Criteria and How to Attain Meaningful Use of EHRs,” available at <http://www.healthit.gov/providers-professionals/how-attain-meaningful-use> (last visited February 4, 2015).

Menon A. Ramanathan T. Schmit C. , “Assessing the Impact of Laws Related to Electronic Health Information,” Poster Presentation at the American Public Health Association Annual Meeting (November 18, 2014). These data were collected in January 2014 from WestlawNext® searches using terms such as health, medical, record, database, electronic, digital, computer, internet, web-based, automated, health information exchange, health information technology, and health information organization. Use categories were defined from a PubMed literature review of scholarly articles published since 2009, and provisions were blind-coded with rigorous coding criteria by two or more licensed attorneys according to principal reference or cross-reference for each category.

Id. (from research examining statutes and regulations from Florida, Indiana, Kansas, Maryland, Michigan, Minnesota, New Hampshire, New York, Oregon, Tennessee, Texas, and Virginia).

This analysis does not capture the implementation or enforcement of these provisions or agreements that exist outside state law to facilitate EHI access or use. Therefore, this research cannot be used to infer the extent to which a state is leveraging its legal authority to use EHI.

See, e.g., N.H. Code Admin. R. Ann. He-W 950.06 (2006) (implementing HIPAA rules at 45 C.F.R. § 164.514(e)(1)).

See OCR Privacy Brief, supra note 10, at 9; CDC, “BioSense Background,” available at <http://www.cdc.gov/biosense/background.html> (last visited February 4, 2015).

45 C.F.R. § 164.514(e)(2) v (2013); Sengupta , supra note 6, at 569–570.

See, e.g., Or. Admin. R. 943-014-0415 (2014) (implementing the HIPAA Privacy Rule at 45 C.F.R. § 164.502(e)).

45 C.F.R. § 160.103 (2014); see also the American Recovery & Reinvestment Act of 2009, which expanded the regulations on privacy of electronic health records and extended privacy protection to EHRs received and retained by business associates of covered entities (Am. Recovery & Reinvestment Act of 2009, Pub. L. No. 111–5, §§ 13401, 13402, 123 Stat. 115).

Restatement I of the Data Use and Reciprocal Support Agreement (2014), available at <http://healthewayinc.org/images/Content/Documents/Application-Package/restatement_i_of_the_dursa_9.30.14_final.pdf> (last visited February 4, 2015).

5 U.S.C. § 552a (2010) (amending the Privacy Act of 1974); 32 C.F.R. § 310.53 (2007).

See HealthIT.gov, “Inter-Organizational Agreements,” available at <http://www.healthit.gov/policy-researchers-implementers/inter-organizational-agreements> (last visited February 4, 2015); CDC, Public Health Law Program, “Model Memoranda of Understanding,” available at <http://www.cdc.gov/phlp/publications/type/mmou.html> (last visited February 4, 2015).